Gentoo Forums
Flash Security
phishintrip007
Posted: Tue Dec 04, 2012 12:05 pm    Post subject: Flash Security

I have a question about Adobe Flash and security. I want to use Adobe Flash because Gnash and swfdec don't seem to work on a lot of sites, but I am concerned over the security warning. What exactly is the security issue? Is it within the Adobe Flash package itself, or is it a Gentoo-specific issue? Is there a way to still use Adobe Flash and isolate it from anything else critical/personal/confidential on my machine, or is it one or the other?
ChrisJumper
Posted: Tue Dec 04, 2012 8:13 pm

Hi phishintrip007!

Let's talk about it. Adobe Flash is an aging piece of software. I haven't looked at the code myself, but I read and hear about people who worked on it or wrote exploits. Adobe Flash has major bugs -by design-; one is that it tries to support old versions/formats/standards, to run nearly everything that was developed and supported by Flash from 1992 up to today.

It has also implemented some codecs for sound, image and video formats over the years. And that makes it so dangerous to use.

It's just a question of time until a new exploit is found. Mostly the exploits grant user access on your machine, as the user that executes the browser that runs the Flash plugin. From the user's point of view it's easy to go ahead and attack your sound or video card driver.

That's why it is so dangerous. So use a flashblock add-on to deactivate Flash code that you don't need. With it you will get a play symbol, on YouTube for example, that you have to click before that code starts. It's also nice for deactivating some advertising banners.

This is the true reason why Apple and others will not have Flash on their systems; sometimes it's about jailbreaking too. If you have your own Squid proxy server you could take a look at the Blitzableiter project. Blitz is the German word for flash, and Blitzableiter is a lightning rod or lightning conductor.

I see now that this project supports some plugins for Firefox too. It goes some steps further and tries to analyse the implemented Flash objects for "bad stuff". As far as I remember it's not a black/white list like virus scanners... oh, just read this from the wiki page:

Quote:
The Blitzableiter is a defensive solution for Adobe Flash Rich Internet Applications. It realizes the protection by applying a process of normalization through recreation.

Blitzableiter protects against attacks using Adobe Flash application files in SWF format. It can prevent attacks targeted at exploiting memory corruption vulnerabilities in the runtime environment as well as attacks using the runtime environment's native functionality maliciously.

Section 2 will give an overview of the general approach and the Flash file format. Section 3 provides information about the code structure and organization. Section 4 gives advice on how to test and debug the library.


Quote:
Is there a way to still use adobe flash and isolate it from anything else critical/personal/confidential on my machine or is it one or the other?


You will never get 100% safety. So no. But... I use it too, until HTML5 reaches our present.

Good guy says: Oh, you could use this Flash object because this website is serious.
Bad guy thinks: Because they don't know that I got access (or a man in the middle) and exchanged their Flash objects.

Every reduction of Flash objects in your internet enjoyment makes your computer's integrity safer for you.

Hope I could help you.

Chris
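
The "normalization through recreation" idea from the Blitzableiter description quoted above, reduced to a sketch (an added example, not part of the original post and not Blitzableiter's code): parse the SWF container, reject structural inconsistencies, and rebuild the file from allow-listed tags only. The allow-list, the size cap and the sample bytes are constructed for this demo.

```python
import struct
import zlib

ALLOWED_TAGS = {0, 1, 9, 69}  # demo allow-list: End, ShowFrame, SetBackgroundColor, FileAttributes

def emit_tag(code, payload):  # header rebuilt from scratch; long form at >= 63 bytes
    n = len(payload)
    if n < 0x3F:
        return struct.pack("<H", code << 6 | n) + payload
    return struct.pack("<HI", code << 6 | 0x3F, n) + payload

def normalize_swf(data, allowed=ALLOWED_TAGS):
    """Return (rebuilt_swf, dropped_tag_codes); raise ValueError on malformed input."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    declared_len = struct.unpack_from("<I", data, 4)[0]
    body = data[8:]
    if data[:3] == b"CWS":  # zlib body; cap decompressed size at 16 MiB (assumed limit)
        body = zlib.decompressobj().decompress(body, 1 << 24)
    if declared_len != 8 + len(body):
        raise ValueError("header length does not match content")
    nbits = body[0] >> 3 if body else 0  # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4   # byte-aligned RECT + frame rate + frame count
    if pos > len(body):
        raise ValueError("truncated movie header")
    out, dropped = bytearray(body[:pos]), []
    while True:
        if pos + 2 > len(body):
            raise ValueError("tag stream has no End tag")
        head = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:  # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        if pos + length > len(body):
            raise ValueError(f"tag {code} overruns the file")
        if code in allowed:
            out += emit_tag(code, body[pos:pos + length])
        else:
            dropped.append(code)
        pos += length
        if code == 0:  # End tag: trailing bytes are not copied
            break
    return b"FWS" + data[3:4] + struct.pack("<I", 8 + len(out)) + bytes(out), dropped

# Constructed sample: empty RECT, rate, frame count, tags 69, 12 (DoAction), 1, 0, then trailing junk.
_body = b"\x00\x00\x0c\x01\x00" + emit_tag(69, bytes(4)) + emit_tag(12, b"\x00") + emit_tag(1, b"") + emit_tag(0, b"") + b"JUNK"
SAMPLE = b"FWS\x0a" + struct.pack("<I", 8 + len(_body)) + _body
```

On the sample, `normalize_swf(SAMPLE)` drops the DoAction tag and the bytes after the End tag, and running it again on its own output changes nothing.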
cach0rr0
Posted: Wed Dec 05, 2012 4:42 am

an alternative to a separate plugin - for chromium at least, there is a "Click to Play" feature you can enable
it basically functions the same way as flashblock
and can be used for things like java as well
phishintrip007
Posted: Wed Dec 05, 2012 9:47 am

Thanks for the response guys! I really like that flashblock plugin for several reasons, mostly blocking the Flash I don't want to see (ads). I know you can't protect people from themselves so I am fine with it allowing me to play whatever I click on and blocking everything else. I just don't want the browser autorunning everything.